Embed Size (px)
Citation preview
Efficient arithmetic on elliptic curvesin characteristic 2
David Kohel
Institut de Mathematiques de LuminyUniversite d’Aix-Marseille
163, avenue de Luminy, Case 90713288 Marseille Cedex 9
France
Abstract. We present normal forms for elliptic curves over a field ofcharacteristic 2 analogous to Edwards normal form, and determine basesof addition laws, which provide strikingly simple expressions for thegroup law. We deduce efficient algorithms for point addition and scalarmultiplication on these forms. The resulting algorithms apply to any el-liptic curve over a field of characteristic 2 with a 4-torsion point, via anisomorphism with one of the normal forms. We deduce algorithms forduplication in time 2M + 5S + 2mc and for addition of points in time7M + 2S, where M is the cost of multiplication, S the cost of squar-ing, and mc the cost of multiplication by a constant. By a study of theKummer curves K = E/{[±1]}, we develop an algorithm for scalar mul-tiplication with point recovery which computes the multiple of a pointP with 4M + 4S + 2mc + mt per bit where mt is multiplication by aconstant that depends on P .
1 Introduction
The last five years have seen significant improvements in the efficiency of knownalgorithms for arithmetic on elliptic curves, spurred by the introduction of theEdwards model [11] and its analysis [1, 2, 13]. Previously, it had been recognizedthat alternative models of elliptic curves could admit efficient arithmetic [8],but the fastest algorithms could be represented in terms of functions on ellipticcurves embedded in P2 as Weierstrass models.
Among the best alternative models one finds a common property of symme-try. They admit a large number of (projective) linear automorphisms, often givenby signed or scaled coordinate permutations. An elliptic curve with j-invariantj 6= 0, 123 admits only {[±1]} as automorphism group fixing the identity element.However, as a genus 1 curve, it also admits translations by rational points, anda translation morphism τQ(P ) = P +Q on E is projectively linear, i.e. inducedby a linear transformation of the ambient projective space, if and only if E isa degree n model determined by a complete linear system in Pn−1 and Q is inthe n-torsion subgroup. As a consequence the principal models of cryptographicinterest are elliptic curves in P2 with rational 3-torsion points (e.g. the Hessian
models) and in P3 with 2-torsion or 4-torsion points (e.g. the Jacobi quadraticintersections and Edwards model), and unfortunately, the latter models do nothave good reduction to characteristic 2. The present work aims to fill this gap.
A rough combinatorial explanation for the role of symmetry in efficiency isthe following. Suppose that the sum of x = (x0 : · · · : xr) and y = (y0 : · · · : yr)is expressed by polynomials (p0(x, y) : · · · : pr(x, y)) of low bidegree, say (2, 2),in xi and yj . Such polynomials form a finite dimensional space. A translationmorphism τ given by scaled coordinate transformation on E determines a newtuple (p0(τ(x), τ−1(y)) : . . . , pr(τ(x), τ−1(y))). If (p0(x, y) : · · · : pr(x, y)) isan eigenvector for this transformation then it tends to have few monomials. Inthe case of Hessian, Jacobi, Edwards, and similar models, there exist bases ofeigenvector polynomial addition laws such that the pj achieve the minimal valueof two terms.
Section 2 recalls several results, observations, and conclusions of Kohel [17]on symmetries of elliptic curves in their embeddings. As illustration, Section 3recalls the main properties of the Edwards model as introduced by Edwards [11],reformulated by Bernstein and Lange [1] with twists by Bernstein et al. [2],and properties of its arithmetic described in Hisil et al. [13] and Bernstein andLange [3].
This background motivates the introduction and classification of new mod-els for elliptic curves in Section 4, based on imitation of the desired propertiesof Edwards curves, and in Section 5 we present new elliptic curve models, theZ/4Z-normal form and the split µµ4-normal form, which satisfy these proper-ties. In Section 6 we classify all symmetric quartic elliptic curves in P3 with arational 4-torsion point, up to projective linear isomorphism.1 In particular weprove that any such curve is linearly isomorphic to one of these two models. InSection 7 we determine the polynomial addition laws and resulting complexityfor arithmetic on these forms. Finally Section 8 develops models for the Kum-mer curve K = E/{[±1]} and exploits an embedding of E in K 2 in order todevelop a Montgomery ladder for scalar multiplication with point recovery. Sec-tion 9 summarizes the new complexity results for these models in comparisonwith previously known models and algorithms. An appendix gives the additionlaws for a descended µµ4-normal form that allows us to save on multiplicationsby constants involved in the curve equation.
Notation.In what follows we use M and S for the complexity of multiplication and
squaring, respectively, in the field k, and mc for a multiplication by a fixed(possibly small) constant c (or constants ci).2 For the purposes of complexityanalysis we ignore field additions.
1 Note that any quartic plane model has a canonical extension to a nonsingular quarticmodel in P3 by extending to a complete linear system.
2 When the small constant is a bounded power of a fixed constant we omit the squar-ings or products entailed in its construction and continue to consider cO(1) a fixedconstant.
When describing a morphism ϕ : X → Y given by polynomial maps, wewrite
ϕ(x) =
(p1,0(x) : · · · : p1,n(x)
),
...(pm,0(x) : · · · : pm,n(x)
),
to indicate that each of the tuples of polynomials (pi,0(x), . . . , pi,n(x)) defines themorphism on an open neighborhood Ui ⊂ X, namely on the complement of thecommon zeros pi,0(x) = · · · pi,m(x) = 0, that any two agree on the intersectionsUi ∩ Uj , and that the union of the Ui is all of X.
For the projective coordinate functions on Pr, with r > 3, we use Xi and sox = (X0 : · · · : Xr) represents a generic point. We also use Xi for their restrictionto a curve E, in which case the Xi are defined modulo the defining ideal of E.In the product Pr × Pr, we continue to write x for the first coordinate and use(x, y) for a generic point in Pr × Pr, where y = (Y0 : · · · : Yr).
2 Elliptic curves with symmetries
We consider conditions for an elliptic curve embedding in Pr to admit many pro-jective linear transformations, or symmetries. In what follows, we recall standarddefinitions and conclusions drawn from Kohel [17] (reformulated here withoutthe language of invertible sheaves). The examples of Hessian curves and Edwardscurves3 play a pivotal role in motivating [17] and further examples (see Bernsteinand Lange [3], Joye and Rezaeian Farashahi [14], Kohel [17, Section 8]) suggestthat such symmetries go hand-in-hand with efficient forms for their arithmetic.4
The automorphism group of an elliptic curve E is a finite group, and ifj(E) 6= 0, 123, this group is { [±1] }. Inspection of standard projective modelsfor elliptic curves shows that the symmetry group can be much greater. Thedisparity is explained by the existence of subgroups of rational torsion. Theautomorphism group of an elliptic curve is defined to be the automorphisms ofthe curve which fix the identity point, which does not include translations. Forany rational torsion point T , the translation-by-T map τT is an automorphismof the curve, which may give rise to the additional symmetries.
We restrict to models of elliptic curves given by complete linear systems of agiven degree d. Basically, such a curve is defined by E ⊂ Pr such that r = d− 1,E is not contained in any hyperplane, and any hyperplane H intersects E inexactly d points, counted with multiplicities. For embedding degree 3, such a
3 In particular my discussions of symmetries with Bernstein and Lange motivated astudy of symmetries in the unpublished work [5] (see the EFD [6]) on twisted Hessiancurves, picked up by Joye and Rezaeian Farashahi [14] after posting to the EFD).This further led the author to develop a general framework for symmetries and toclassify the linear action of torsion in [17].
4 By efficient forms, we mean sparse polynomials expressions with small coefficients.These may or may not yield the most efficient algorithms, as seen in comparing theevaluation of similarly sparse addition laws for the Edwards and Z/4Z-normal forms.
curve is given by a single homogeneous form F (X,Y, Z) of degree 3, and fordegree 4 we have an intersection of two quadrics in P3. Quartic plane modelsformally lie outside of this scope — they are neither nonsingular nor given by acomplete linear system — but determine a unique degree 4 elliptic curve in P3
after completing the basis of functions. As in the case of the Edwards curve, wealways pass to this model to apply the theory.
Definition 1. Let E ⊂ Pr be an elliptic curve embedded with respect to a com-plete linear system. We say that E is a symmetric model if [−1] is induced by aprojective linear transformation of Pr.
We next recall a classification of symmetric embeddings of elliptic curves(cf. Kohel [17, Lemma 2] for the statement in terms of invertible sheaves).
Lemma 2. Let E ⊂ Pr be an elliptic curve over k embedded with respect toa complete linear system. There exists a point S in E(k) such that for anyhyperplane H in Pr not containing E, the set of points in the intersection E ∩H = {P0, . . . , Pr}, in E(k), counted with multiplicity, sum to S. The model issymmetric if and only if S is in the subgroup E[2] of 2-torsion points.
Definition 3. Let E be a degree d embedding in Pr with respect to a completelinear system, and let S be the point as in the previous lemma. We define theembedding divisor class of E to be (d− 1)(O) + (S).
We describe here the classification of elliptic curves with projective embed-ding, up to linear isomorphism, rather than isomorphism.5 The notion of isomor-phisms given by linear transformations plays an important role in the additionlaws, since such a change of variables gives an isomorphism between the respec-tive spaces of addition laws of fixed bidegree (m,n), as described in Kohel [17,Section 7]. For a point T , we denote the translation-by-T morphism by τT , givenby τT (P ) = P + T . We now recall the classification of symmetries which arisefrom the group law [17, Lemma 5].
Lemma 4. Let E ⊂ Pr be embedded with respect to the complete linear systemof degree d and let T be in E(k). The translation-by-T morphism is induced bya projective linear automorphism of Pr if and only if dT = O.
Similarly, we recall the classification of projective linear isomorphisms be-tween curves in Pr (see Kohel [17, Lemma 3] for a slightly stronger formulation).
Lemma 5. Let E1 and E2 be isomorphic elliptic curves embedded in Pr withrespect to complete linear systems of the same degree d. An isomorphism ϕ :E1 → E2 is induced by a projective linear transformation if and only if ϕ(S1) =S2, where Si ∈ Ei(k) determine the embedding divisor classes (d− 1)(O) + (Si)of the embeddings.5 In recent cryptographic literature, there has been a trend to refer to existence of a
birational equivalence. In the context of elliptic curves, by definition nonsingular pro-jective curves, this concept coincides with isomorphism, and we want to identity thesubclass of isomorphisms which are linear with respect to the coordinate functionsof the given embedding.
Remark. By definition, an isomorphism ϕ : E1 → E2 of elliptic curves takesthe identity of E1 to the identity of E2. It may be possible to define a projectivelinear transformation from E1 to E2 which does not respect the group identities(hence is not a group isomorphism).
3 Properties of the Edwards normal form
In this section we suppose that k is a field of characteristic different from 2.To illustrate the symmetry properties of the previous section and motivate theanalogous construction in characteristic 2, we recall the principal properties ofthe Edwards normal form, summarizing work of Edwards [11], Hisil et al. [13],and Bernstein and Lange [3]. We follow the definitions and notation of Kohel [17],defining the twisted Edwards normal form E/k in P3:
cX21 +X2
2 = X20 + dX2
3 , X0X3 = X1X2, O = (1 : 0 : 1 : 0).
Edwards model for elliptic curves
In 2007, Edwards introduced a new model for elliptic curves [11], defined by theaffine model
x2 + y2 = a2(1 + z2), z = xy,
over any field k of characteristic different from 2. The complete linear systemassociated to this degree 4 model has basis {1, x, y, z} such that the image (1 :x : y : z) is a nonsingular projective model in P3:
X21 +X2
2 = a2(X20 +X2
3 ), X0X3 = X1X2,
with identity O = (a : 0 : 1 : 0), as a family of curves over k(a) We hereafter referto this model as the split Edwards model. Bernstein and Lange [1] introduceda rescaling to descend to k(d) = k(a4), and subsequently (with Joye, Birkner,and Peters [2]) a quadratic twist by c, to define the twisted Edwards model withO = (1 : 0 : 1 : 0):
cX21 +X2
2 = X20 + dX2
3 , X0X3 = X1X2.
The twisted Edwards model in this form appears in Hisil et al. [13] (as extendedEdwards coordinates), which provides the most efficient arithmetic. We nextrecall the principal properties of the Edwards normal form (with c = 1).
Symmetry properties
1. The embedding divisor class is 3(O) + (S) where S = 2T .2. The point T = (1 : −1 : 0 : 0) is a rational 4-torsion point.
3. The translation–by–T and inverse morphisms are given by:
τT (X0 : X1 : X2 : X3) = (X0 : −X2 : X1 : −X3),[−1](X0 : X1 : X2 : X3) = (X0 : −X1 : X2 : −X3).
4. The model admits a factorization s ◦ (π1 × π2) through P1 × P1, where
π1(X0 : X1 : X2 : X3) ={
(X0 : X1),(X2 : X3)
, π2(X0 : X1 : X2 : X3) ={
(X0 : X2),(X1 : X3).
and s is the Segre embedding
s((U0 : U1), (V0 : V1)) = (U0V0 : U1V0 : U0V1 : U1V1).
Remark. The linear expression for [−1] implies that the embedding is sym-metric. This linearity is a consequence of the form of the embedding divisor3(O) + (S), in view of Lemma 2. In addition the two projections are symmetric,in the sense that they are stable under [−1]. This is due to the fact that thedivisors 2(O) = π∗1(∞) and (O) + (T ) = π∗2(∞) are symmetric.
A remarkable factorization
Hisil et al. [13] discovered amazingly simple bilinear rational expressions for theaffine addition laws, which can be described as a factorization of the additionlaws through the isomorphic curve in P1 × P1 (see Bernstein and Lange [3] forfurther properties). As a consequence of the symmetry of the embedding andits projections, the composition of the addition morphism µ : E × E −→ Ewith each of the projections πi : E → P1 admits a basis of bilinear definingpolynomials. For π1 ◦ µ π1 ◦ µ, respectively, we have{
(X0Y0 + dX3Y3, X1Y2 +X2Y1),(cX1Y1 +X2Y2, X0Y3 +X3Y0)
}and
{(X1Y2 −X2Y1, −X0Y3 +X3Y0),(X0Y0 − dX3Y3, −cX1Y1 +X2Y2)
}·
Addition laws given by polynomial maps of bidegree (2, 2) are recovered bycomposing with the Segre embedding. This factorization led the author to provedimension formulas for these addition law projections and classify the exceptionaldivisors [17]. In particular, this permits one to prove a priori the form of theexceptional divisors described in Bernstein and Lange [3, Section 8], show thatthese addition laws span all possible addition laws of the given bidegree, andconclude their completeness.
4 Axioms for a D4-linear model
The previous sections motivate the study of symmetric quartic models of ellipticcurves with a rational 4-torsion point T . For such a model, we obtain a 4-dimensional linear representation of D4
∼= 〈[−1]〉 n 〈τT 〉, induced by the actionon the linear automorphisms of P3. Here we give characterizations of ellipticcurve models for which this representation is given by coordinate permutation.
Suppose that E/k is an elliptic curve with char(k) = 2 and T a rational4-torsion point. In view of the previous lemmas and the properties of Edwards’normal form, we consider reasonable hypotheses for a characteristic 2 analog.We note that in the Edwards model, τT acts by signed coordinate permutation,which we replace with a permutation action in characteristic 2.
1. The embedding of E → P3 is a quadratic intersection.2. E has a rational 4-torsion point T .3. The group 〈[−1]〉 n 〈τT 〉 ∼= D4 acts by coordinate permutation, and in par-
ticular τT (X0 : X1 : X2 : X3) = (X3 : X0 : X1 : X2).4. There exists a symmetric factorization of E through P1 × P1.
Combining conditions 3 and 4, we assume that E lies in the skew-Segre imageX0X2 = X1X3 of P1 × P1. In order for the representation of τT to stabilize theimage of P1 × P1, we have
P1 × P1 −→ P3,
whose image is X0X2 = X1X3, in isomorphism with P1 × P1 by the projections
π1(X0 : X1 : X2 : X3) ={
(X0 : X1),(X3 : X2),
, π2(X0 : X1 : X2 : X3) ={
(X0 : X3),(X1 : X2).
Secondly, up to isomorphism, there are two permutation representations of D4,both having the same image. The two representations are distinguished by theimage of [−1], up to coordinate permutation, being one of the two
[−1](X0 : X1 : X2 : X3) = (X3 : X2 : X1 : X0) or (X0 : X3 : X2 : X1).
Considering the form of the projection morphisms π1 and π2, we see that onlythe first of the possible actions of [−1] stabilizes π1 and π2, while the secondexchanges them. In the next section we are able to write down a normal formwith D4-permutation action associated to each of the possible actions of [−1].
5 Normal forms
The objective of this section is to introduce elliptic curve models which satisfythe desired axioms of the previous section. After their definition we list their mainproperties, whose proof is essentially immediate from the symmetry propertiesof the model. We first present the objects of study over a general field k beforepassing to k of characteristic 2. Additional details of their construction can befound in the talk notes [18] where they were first introduced.
Definition 6. An elliptic curve E/k in P3 is said to be in Z/4Z-normal formif it is given by the equations
X20 −X2
1 +X22 −X2
3 = eX0X2 = eX1X3,
with identity O = (1 : 0 : 0 : 1).
The Z/4Z-normal form is the unique model, up to linear isomorphism (seeTheorem 12), satisfying the complete set of axioms of the previous section. Ifwe drop the condition for the factorization through P1 × P1 (condition 4), weobtain the following normal form, which admits the alternative action of [−1].
Definition 7. An elliptic curve C/k in P3 is said to be in split µµ4-normal formif it is given by the equations
X20 −X2
2 = c2X1X3, X21 −X2
3 = c2X0X2,
with identity O = (c : 1 : 0 : 1).
These normal forms both have good reduction in characteristic 2. The Z/4Z-normal form admits a rational 4-torsion point T = (1 : 1 : 0 : 0), and theisomorphism
〈T 〉 = {(1 : 0 : 0 : 1), (1 : 1 : 0 : 0), (0 : 1 : 1 : 0), (0 : 0 : 1 : 1)} ∼= Z/4Z
gives the name to curves in this form.On the split µµ4-normal form, the point T = (1 : c : 1 : 0) is a rational 4-
torsion point, and if char(k) 6= 2 and there exists a primitive 4-th root of unityi in k, then R = (c : i : 0,−i) is a rational 4-torsion point (dual to T under theWeil pairing) such that 〈T,R〉 = C[4]. The subgroup
〈R〉 = {(c : 1 : 0 : 1), (c : i : 0 : −i), (c : −1 : 0 : −1), (c : −i : 0 : i)} ∼= µµ4
is a group (scheme) isomorphic to the group (scheme) µµ4 of 4-th roots of unity,which gives the name to this normal form. The nonsplit variant (see Remarkfollowing Corollary 21) descends to any subfield containing c4, does not neces-sarily have a rational 4-torsion point, but in the application to elliptic curvesover finite fields of characteristic 2, every such model can be put in the splitform. The action of the respective points T by translation gives the coordinatepermutation action which we desire, the dual subgroup 〈R〉 degenerates in char-acteristic 2 to the identity group {O} = {(c : 1 : 0 : 1)}, and the embeddingdivisor 3(O) + (S), where S = 2R, degenerates to 4(O). Hereafter we considerthese models only over a field of characteristic 2.
We now formally state and prove the main symmetry properties of the newmodels over a field of characteristic 2 with analogy to the Edwards model.
Theorem 8. Let E/k be a curve in Z/4Z-normal form over a field of charac-teristic 2.
1. The embedding divisor class is 3(O) + (S) where S = (0 : 1 : 1 : 0) = 2T .2. The point T = (1 : 1 : 0 : 0) is a rational 4-torsion point.3. The translation–by–T and inverse morphisms are given by:
τT (X0 : X1 : X2 : X3) = (X3 : X0 : X1 : X2),[−1](X0 : X1 : X2 : X3) = (X3 : X2 : X1 : X0).
4. E admits a factorization through P1 × P1, where
π1(X0 : X1 : X2 : X3) ={
(X0 : X1),(X3 : X2),
, π2(X0 : X1 : X2 : X3) ={
(X0 : X3),(X1 : X2).
More precisely, if (U0, U1) and (V0, V1) are the coordinate functions on P1 × P1,the product morphism π1×π2 determines an isomorphism E → E1, where E1 isthe curve (U0 +U1)2(V0 +V1)2 = cU0U1V0V1, whose inverse is the restriction ofthe skew-Segre embedding ((U0 : U1), (V0 : V1)) −→ (U0V0 : U1V0 : U1V1 : U0V1).
Proof. The correctness of the forms for [−1] and τT follow from the fact that theyare automorphisms, that the asserted map for [−1] fixes O and that for τT has nofixed point, and that τT (O) = T . Since τ4
T = 1, it follows that T is 4-torsion. Thehypersurface X0 +X1 +X2 +X3 = 0 cuts out the subgroup 〈T 〉 ∼= Z/4Z, whichdetermines the embedding divisor class as 3(O)+(S) where S = O+T+2T+3T =2T ∈ E[2]. The factorization is determined by the automorphism group, and theimage curve can be verified by elementary substitution. ut
Lemma 9. The Z/4Z-normal form is isomorphic to a curve in Weierstrassform Y (Y + X)Z = X(X + c−1Z)2. The linear map (X : Y : Z) = (X1 + X2 :X2 : c(X0 +X3)) defines the isomorphism except at O.
Proof. The existence of a linear map is implied by Kohel [17, Lemma 3], andthe exact form of this map can be easily verified. The exceptional divisor of thegiven rational map follows since X1 = X2 = 0 only meets the curve at O. ut
Theorem 10. Let C/k be a curve in µµ4-normal form over a field of character-istic 2.1. The embedding divisor class of C is 4(O).2. The point T = (1 : c : 1 : 0) is a rational 4-torsion point.3. The translation–by–T and inverse morphisms are given by:
τT (X0 : X1 : X2 : X3) = (X3 : X0 : X1 : X2),[−1](X0 : X1 : X2 : X3) = (X0 : X3 : X2 : X1).
Proof. As in Theorem 8, the correctness of automorphisms is implied by actionon the points O and T , and the relation τ4
T = 1 shows that T is 4-torsion. Sincethe hyperplanes Xi = 0 cut out the divisors 4(Ti+2) where Tk = kT , and T is4-torsion, this gives the form of the embedding divisor class. ut
Lemma 11. An elliptic curve in split µµ4-normal form is isomorphic to the curveY (Y + X)Z = X(X + c−2Z)2 in Weierstrass form. The linear map (X : Y :Z) = (c(X1 +X3) : X0 + cX1 +X2 : c4X2) defines the isomorphism except at O.
Proof. As above, the existence of a linear map is implied by Kohel [17, Lemma 3],and the exact form of this map can be easily verified. The exceptional divisor ofthe given rational map follows since X2 = 0 only meets the curve at O. ut
Remark. The rational maps of Lemma 9 and 11 extend to isomorphisms, butthere is no base-point free linear representative for these isomorphisms.
6 Isomorphisms with normal forms
Let Ec2 denote an elliptic curve in Z/4Z-normal form and Cc a curve in µµ4-normal form. By Lemmas 9 and 11, the curves Ec2 and Cc are isomorphic, butby classification of their embedding divisor classes in Theorems 8 and 10, itfollows from Lemma 4 that there is no linear isomorphism between them. In thissection we obtain a classification of curves over with rational 4-torsion point andmake the isomorphism explicit for Ec2 and Cc.
Theorem 12. Let X/k be an elliptic curve over a field k of characteristic 2,with identity O and k-rational point T of order 4, and suppose that c is anelement of k such that j(X) = c8.
1. There exists a unique isomorphism of X over k to a curve Ec2 in Z/4Z-normal form sending O to (1 : 0 : 0 : 1) and T to (1 : 1 : 0 : 0).
2. There exists a unique isomorphism of X over k to a curve Cc in split µµ4-normal form sending O to (c : 1 : 0 : 1) and T to (1 : c : 1 : 0).
If X is embedded as a symmetric quartic model in P3, then either the isomor-phism of X with Ec2 or the isomorphism with Cc is induced by a linear auto-mophism of P3.
Proof. The j-invariants of Ec2 and Cc are each c8 (6= 0 since X is not super-singular by existence of a 2-torsion point), which implies the existence of theisomorphisms over the algebraic closure. The rational 4-torsion point T fixes thequadratic twist, hence the isomorphism is defined over k. Since there is a unique2-torsion point S = 2T , the embedding divisor of X in P3 is either 3(O) + (S)or 4(O) by Lemma 2. In the former case, the isomorphism to Ec2 is linear, andin the latter case the isomorphism to Cc is linear by Lemma 5. ut
The following theorem classifies the isomorphisms between Ec2 and Cc.
Theorem 13. Let Cc be an elliptic curve in split µµ4-normal form and Ec2 anelliptic curve in Z/4Z-normal form. Then there exists an isomorphism ι : Cc →Ec2 determined by the projections
π1 ◦ ι((X0 : X1 : X2 : X3)) ={
(cX0 : X1 +X3),(X1 +X3 : cX2),
π2 ◦ ι((X0 : X1 : X2 : X3)) ={
(X0 +X2 : cX1),(cX3 : X0 +X2).
The morphism to Ec2 is recovered by composing π1 × π2 with the skew-Segreembedding. The inverse morphism is given by
ι−1(X0 : X1 : X2 : X3) =
(X0X1 +X2X3 : cX2
2 : X0X1 + c2X1X2 +X2X3 : cX21 ),
(X0X3 : (X2 +X3)2 : X1X2 : (X0 +X1)2),((X0 +X3)2 : cX2X3 : (X1 +X2)2 : cX0X1),
(cX23 : X0X3 +X1X2 + c2X2X3 : cX2
2 : X1X2 +X0X3).
Neither ι nor its inverse can be represented by a projective linear transformation.
Proof. This correctness of this isomorphism can be verified explicitly (e.g. asimplemented in Echidna [19]). The nonexistence of a linear isomorphism is aconsequence of Lemma 4 and the classification of the embedding divisor classesin Theorems 8 and 10. ut
7 Addition law structure and efficient arithmetic
The interest in alternative models of elliptic curves has been driven by the simpleform of their addition laws — the polynomial maps which define the additionmorphism µ : E×E → E as rational maps. In this section we determine bases ofsimple forms for the addition laws of the Z/4Z-normal form and of the µµ4-normalform.
The verification that a system of putative addition laws determines a well-defined morphism can be verified symbolically. In particular we refer to theimplementations of these models and their addition laws in Echidna [19] (in theMagma [21] language) for a verification that the systems are consistent and definerational maps. The dimensions of the spaces of given bidegree are known a prioriby Kohel [17], as well as their completeness as morphisms. By the RigidityTheorem [22, Theorem 2.1], a morphism µ of abelian varieties is the compositionof a homomorphism and translation. In order to verify that µ : E×E → E is theaddition morphism, it suffices to check that the restrictions of µ to E×{O} and{O} × E agree with the restrictions of π1 and π2, respectively. Similarly, for aparticular addition law of bidegree (2, 2), the exceptional divisors, on which thepolynomials of the addition law simultaneously vanish, are known by Lange andRuppert [20] and the generalizations in Kohel [17] to have components of theform ∆P = {(P + Q,Q) | Q ∈ E}. Consequently, as pointed out in Kohel [17](Corollary 11 and the Remark following Corollary 12), the exceptional divisorscan be computed (usually by hand) by intersecting with E × {O}.
Addition law structure for the Z/4Z-normal form
Theorem 14. Let E/k, char(k) = 2, be an elliptic curve in Z/4Z-normal form:
(X0 +X1 +X2 +X3)2 = cX0X2 = cX1X3.
Bases for the bilinear addition law projections π1 ◦µ and π2 ◦µ are, respectively:{(X0Y3 +X2Y1, X1Y0 +X3Y2),(X1Y2 +X3Y0, X0Y1 +X2Y3)
}and
{(X0Y0 +X2Y2, X1Y1 +X3Y3),(X1Y3 +X3Y1, X0Y2 +X2Y0)
}·
Addition laws of bidegree (2, 2) are recovered by composition with the skew-Segreembedding s((U0 : U1), (V0 : V1)) = (U0V0 : U1V0 : U1V1 : U0V1). Each ofthese basis elements has an exceptional divisor of of the form 2∆nT for some0 ≤ n ≤ 3.
Proof. That the addition laws determine a well-defined morphism is verifiedsymbolically.6 The morphism is the addition morphism since the substitution6 In Echidna [19], the constructor is EllipticCurve C4 NormalForm after whichAdditionMorphism returns this morphism as a composition.
(Y0, Y1, Y2, Y3) = (1, 0, 0, 1), gives the projection onto the first factor. By sym-metry of the spaces in Xi and Yi, the same holds for the second factor.
The form of the exceptional divisor is verified by a similar substitution. Forexample, for the exceptional divisor X1Y2 + X3Y0 = X0Y1 + X2Y3 = 0, weintersect with (Y0, Y1, Y2, Y3) = (1, 0, 0, 1) to find X3 = X2 = 0, which definesthe unique point T = (1, 1, 0, 0) with a multiplicity of 2, hence the exceptionaldivisor is 2∆T . The other exceptional divisors are determined similarly. ut
Remark. We observe that the entire space of addition laws of bidgree (2, 2)is independent of the curve parameters. This is not a feature of the Edwardsaddition laws.
Corollary 15. Addition of generic points on E can be carried out in 12M.
Proof. Since each of the pairs is equivalent under a permutation of the inputvariables it suffices to consider the first, which each require 4M. Compositionwith the skew-Segre embedding requires an additional 4M, which yields thebound of 12M. ut
Evaluation of the addition forms along the diagonal yields the duplication for-mulas.
Corollary 16. Let E = Ec be an elliptic curve in Z/4Z-normal form. Theduplication morphism on E is given by
π1 ◦ [2](X0 : X1 : X2 : X3) = (X0X3 +X1X2 : X0X1 +X2X3),π2 ◦ [2](X0 : X1 : X2 : X3) = ((X0 +X2)2 : (X1 +X3)2),
composed with the skew-Segre embedding.
This immediately gives the following complexity for duplication.
Corollary 17. Duplication on E can be carried out in 7M + 2S.
Proof. The pair (X0X3 + X1X2, X0X1 + X2X3) can be computed with 3M byexploiting the usual Karatsuba trick using the factorization of their sum:
(X0X3 +X1X2) + (X0X1 +X2X3) = (X0 +X2)(X1 +X3).
After the two squarings, the remaining 4M come from the Segre morphism. ut
Addition law structure for the split µµ4-normal form
Theorem 18. Let C be an elliptic curve in split µµ4-normal form:
(X0 +X2)2 = c2X1X3, (X1 +X3)2 = c2X0X2.
A basis for the space of addition laws of bidegree (2, 2) is given by:
((X0Y0 +X2Y2)2, c(X0X1Y0Y1 +X2X3Y2Y3), (X1Y1 +X3Y3)2, c(X0X3Y0Y3 +X1X2Y1Y2)
),(
c(X0X1Y0Y3 +X2X3Y1Y2), (X1Y0 +X3Y2)2, c(X0X3Y2Y3 +X1X2Y0Y1), (X0Y3 +X2Y1)2),(
(X3Y1 +X1Y3)2, c(X0X3Y1Y2 +X1X2Y0Y3), (X0Y2 +X2Y0)2, c(X0X1Y2Y3 +X2X3Y0Y1)),(
c(X0X3Y0Y1 +X1X2Y2Y3), (X0Y1 +X2Y3)2, c(X0X1Y1Y2 +X2X3Y0Y3), (X1Y2 +X3Y0)2).
The exceptional divisor of each addition law is of the form 4∆nT .
Proof. As for the Z/4Z-normal form the consistency of the addition laws is ver-ified symbolically7 and the space is known to have dimension four by Kohel [17].Evaluation of the first addition law at (Y0, Y1, Y2, Y3) = (c, 1, 0, 1) gives
(c2X20 , c
2X0X1, (X1 +X3)2, c2X0X3).
Using (X1 + X3)2 = c2X0X2, after removing the common factor c2X0, thisagrees with projection to the first factor, and identifies the exceptional divisor4∆S where S is the 2-torsion point (0 : 1 : c : 1) with X0 = 0. ut
Corollary 19. Addition of generic points on C can be carried out in 7M+2S+2mc.
Proof. – Evaluate (Z0, Z1, Z2, Z3) = (X0Y0, X1Y1, X2Y2, X3Y3) with 4M.– Evaluate (X0Y0 +X2Y2)2 = (Z0 + Z2)2 with 1S.– Evaluate (X1Y1 +X3Y3)2 = (Z1 + Z3)2 with 1S.– Evaluate (X0Y0 +X2Y2)(X1Y1 +X3Y3) = (Z0 + Z2)(Z1 + Z3) followed by
X0X1Y0Y1 +X2X3Y2Y3 = Z0Z1 + Z2Z3
X0X3Y0Y3 +X1X2Y1Y2 = Z0Z3 + Z1Z2
using 3M, exploiting the linear relation (following Karatsuba):
(Z0 + Z2)(Z1 + Z3) = (Z0Z1 + Z2Z3) + (Z0Z3 + Z1Z2).
After two scalar multiplications by c, we obtain 7M + 2S + 2mc for thecomputation using the first addition law. ut
Specializing this to the diagonal we find defining polynomials for duplication.
Corollary 20. The duplication morphism on an elliptic curve C in split µµ4-normal form is given by
[2](X0 : X1 : X2 : X3) =((X0 +X2)4 : c(X0X1 +X2X3)2 : (X1 +X3)4 : c(X0X3 +X1X2)2).
This gives an obvious complexity bound of 3M+6S+2mc for duplication, how-ever we note that along the curve we have the following equivalent expressions:
c2(X0X1 +X2X3)2 = (X0 +X2)4 + c−4(X1 +X3)4 + F 2,c2(X0X3 +X1X2)2 = (X0 +X2)4 + c−4(X1 +X3)4 +G2,
7 The Echidna [19] constructor is EllipticCurve Split Mu4 NormalForm after whichAdditionMorphism returns this morphism as a composition.
for F = (X0 + cX3)(cX1 +X2) and G = (X0 + cX1)(X2 + cX3), and that
F +G = c(X0 +X2)(X1 +X3).
This leads to a savings of 1M + 1S from the naive analysis, at the cost of extramultiplications by c.
Corollary 21. Duplication on C can be carried out in 2M + 5S + 7mc.
Proof. We describe the evaluation of the forms of Corollary 20, using the equiv-alent expressions. Setting (U, V,W ) = ((X0 +X2)2, (X1 +X3)2, (X0 + cX1)2),
G2 = (U + c2V +W )WP and F 2 = G2 + c2UV,
from which the duplication formula can be expressed as:
(cU2 : U2+c−4V 2+(U+c2V+W )W+c2UV : cV 2 : U2+c−4V 2+(U+c2V+W )W ).
We scale by c4 to have only integral powers of c, which gives the
– Evaluate (U, V,W ) = ((X0 +X2)2, (X1 +X3)2, (X0 + cX1)2) with 3S+ 1mc.– Evaluate c5(X0 +X2)4 = c5U2 with 1S + 1mc, storing U2.– Evaluate c5(X1 +X3)4 = c5V 2 with 1S + 1mc, storing V 2.– Evaluate c2V , c2UV , (U + c2V +W )W with 2M + 1mc, then set
c4(X0 +X2)4 + (X1 +X3)4 = c4U2 + V 2,c4G2 = c4(U + c2V +W )W,c4F 2 = c4G2 + c6UV,
using 3mc, followed by additions. This gives the asserted complexity. ut
Remark. The triple (U, V,W ), up to scalars, can be identified with the variables(A,B,C) of the EFD [6] in the improvement of Bernstein et al. [4] to the dupli-cation algorithm of Kim and Kim [16] in “extended Lopez-Dahab coordinates”with a2 = 0. In brief, the extended Lopez-Dahab coordinates defines a curveY 2 = (X2 + a6)XZ, in a (1, 2, 1, 2)-weighted projective space with coordinatefunctions X, Y , Z, Z2. We embed this in a standard P3, with embedding divisorclass 4(O), by the map (X2, Y,XZ,Z2). By Lemma 5 this is linearly isomorphicto the curve C in split µµ4-normal form. One derives an equivalent complexityfor duplication on this P3 model, and duplication on C differs only by the costof scalar multiplications involved in the linear transformation to C.
We remark that this can be interpretted as a factorization of the duplicationmap as follows. Letting D be the image of C given by (U, V,W ) in P2, the Kim
and Kim algorithm can be expressed as a composition Cϕ−−→ D
ψ−−→ C whereϕ and ψ are each of degree 2, with ϕ purely inseparable and ψ separable. Thecurve D is a singular quartic curve in P2, given by a well-chosen incompletelinear system. The nodal singularities of D are oriented such that the resolvedpoints have the same image under ψ. The omission of a fourth basis element ofthe complete linear system allows one to save 1S in its computation.
In order to best optimize the multiplications by scalars, we can apply a co-ordinate scaling. The split µµ4-normal descends to a (non-split) µµ4-normal formover any subfield containing the parameter s = c−4, by renormalization of coor-dinates:
s(X1 +X3)2 +X0X2, (X0 +X2)2 = X1X3.
In this form the duplication polynomials require fewer multiplications by con-stants:(
(X0 +X2)4 : (X0 +X2)4 + s2(X1 +X3)4 + (X0 +X3)2(X1 +X2)2 :s(X1 +X3)4 : (X0 +X2)4 + s2(X1 +X3)4 + (X0 +X1)2(X2 +X3)2
),
yielding 2M + 5S + 2ms.
Addition law projections for the split µ4-normal form
Let C = Cc be an elliptic curve in µµ4-normal form and E = Ec2 be an ellipticcurve in Z/4Z-normal form. In view of Theorem 13, there is an explicit isomor-phism ι : C → E, determined by the application of the skew-Segre embeddingto the pair of projections πi : C → P1:
π1((X0 : X1 : X2 : X3)) ={
(cX0 : X1 +X3),(X1 +X3 : cX2),
π2((X0 : X1 : X2 : X3)) ={
(X0 +X2 : cX1),(cX3 : X0 +X2).
The first projection π1 determines a map to C/〈[−1]〉 ∼= P1, and the secondprojection π2 satisfies π2 ◦ [−1] = σ ◦ π2, where σ((U0 : U1)) = (U1 : U0).As a consequence of the addition law structure of Theorem 18, the addition lawprojections C×C → P1 associated to these projections take a particularly simpleform.
Corollary 22. If πi : C → P1 are the projections defined above, the additionlaw projections π1 ◦ µ and π2 ◦ µ are respectively spanned by{
(X0Y0 +X2Y2, X1Y1 +X3Y3),(X1Y3 +X3Y1, X2Y0 +X0Y2)
}and
{(X0Y3 +X2Y1, X1Y0 +X3Y2),(X1Y2 +X3Y0, X0Y1 +X2Y3)
}·
Proof. The addition law projections can be verified in Echidna [19]. ut
The skew-Segre embedding of P1×P1 in P3 induces a map to the isomorphiccurve E in Z/4Z-normal form, rather than the µµ4-normal form. These additionlaw projections play a central role in the study of the Kummer arithmetic inSection 8, defined more naturally in terms of E.
8 Kummer quotients and the Montgomery ladder
For an abelian variety A, the quotient variety K (A) = A/{[±1]} is called theKummer variety of A. We investigate explicit models for the Kummer curvesK (E) and K (C) where E = Ec2 and C = Cc are isomorphic elliptic curvesin Z/4Z-normal form and µµ4-normal form, respectively. The objective of thisstudy is to obtain a Montgomery ladder [23] for efficient scalar multiplicationon these curves. Such a Montgomery ladder was developed for Kummer curves(or lines since they are isomorphic to the projective line P1) in characteristic 2by Stam [24]. More recently Gaudry and Lubicz [12] developed efficient pseudo-addition natively on a Kummer line K = P1 by means of theta identities.Neither the method of Stam nor Gaudry and Lubicz provides recovery of pointson the curve. We show that for fixed P , the morphism E → K ×K sendingQ to (Q,Q− P ), used for initialization of the Montgomery ladder, is in factan isomorphism with its image. As a consequence we rederive the equations ofGaudry and Lubicz for pseudo-addition, together with an algorithm for pointrecovery. In addition, knowledge of the curve equation (in K ×K ) permits thetrade-off of a squaring for a multiplication by a constant depending on the basepoint P (see Corollary 26).
Kummer curves
We consider the structure of K (E) = E/{[±1]} and K (C) = C/{[±1]} forelliptic curves E = Ec2 in Z/4Z-normal form and C = Cc in split µµ4-normalform, respectively. The former has a natural identification with P1 equippedwith the covering π1 : E → K (E), given by
(X0 : X1 : X2 : X3) 7→{
(X0 : X1),(X3 : X2).
The latter quotient has a plane model K (C) : Y 2 = c2XZ in P2 obtained bytaking the [−1]-invariant basis {X0, X1 + X3, X2}. For E = Ec2 and C = Ccas above, the isomorphism ι : C → E of Theorem 13 induces an isomorphismι : K (C)→ K (E) = P1 of Kummer curves given by
ι(X : Y : Z) ={
(cX : Y ),(Y : cZ),
with inverse (U0 : U1) 7→ (U20 : cU0U1 : U2
1 ). Hereafter we fix this isomorphism,and obtain the covering morphism C → K (E):
(X0 : X1 : X2 : X3) 7→{
(cX0 : X1 +X3),(X1 +X3 : cX2).
We denote this common Kummer curve by K , to distinguish the curve withinduced structure from the elliptic curve covering (by both E and C) from P1.
Montgomery endomorphism
The Kummer curve K (of an arbitrary elliptic curve E) no longer supports anaddition morphism, however scalar multiplication [n] is well-defined, since [−1]commutes with [n]. We investigate the general construction of the Montgomeryladder for the Kummer quotient. For this purpose we define the Montgomeryendomorphism E × E → E × E:(
2 01 1
)(Q,R) = (2Q,Q+R).
In general this endomorphism, denoted ϕ, is not well-defined on K ×K . Instead,for fixed P ∈ E(k) we consider
∆P = {(Q,R) ∈ E × E | Q−R = P} ∼= E,
and let K (∆P ) be the image of ∆P in K ×K , which we call a Kummer-orientedcurve. In what follows we develop algorithmically the following observations (seeTheorems 23, 24, and 25):
1. The morphism ∆P → K (∆P ) is an isomorphism for any P 6∈ E[2].2. The Montgomery endomorphism is well-defined on K (∆P ).
By means of the elliptic curve structure on ∆P determined by the isomor-phism E → ∆P given by Q 7→ (Q,Q − P ), the Montgomery endomorphism isthe duplication morphism (i.e. ϕ(Q,Q−P ) = (2Q, 2Q−P )). On the other hand,the Montgomery endomorphism allows us to represent scalar multiplication onP symmetrically as a sequence of compositions. Precisely, we let ϕ0 = ϕ, letσ be the involution σ(Q,R) = (−R,−Q) of ∆P , which induces the exchangeof factors on K (∆P ), and set ϕ1 = σ ◦ ϕ ◦ σ. For an integer n with binaryrepresentation nrnr−1 . . . n1n0 we may compute nP by the sequence
ϕn0 ◦ ϕn1 · · · ◦ ϕnr−1(P,O) = ((n+ 1)P, nP ),
returning the second component.This composition representation for scalar multiplication on E × E is a
double-and-always-add algorithm [9], which provides a symmetry protectionagainst side-channel attacks in cryptography (see Joye and Yen [15, Section 4]),but is inefficient due to insertion of redundant additions. When applied toK (∆P ), on the other hand, this gives a (potentially) efficient algorithm, conju-gate duplication, for carrying out scalar multiplication. In view of this, K (∆P )should be thought of as a model oriented for carrying out efficient scalar multi-plication on a fixed point P in E(k).
The Kummer-oriented curves K (∆P )
Let E = Ec2 be a curve in Z/4Z-normal form, let P = (t0 : t1 : t2 : t3) be afixed point in E(k), and let K (∆P ) be the Kummer-oriented curve in K 2, withcoordinate functions ((U0, U1), (V0, V1)).
Theorem 23. The Kummer-oriented curve K (∆P ) in K 2, for P = (t0 : t1 :t2 : t3), has defining equation
t20(U0V1 + U1V0)2 + t21(U0V0 + U1V1)2 = c2t0t1U0U1V0V1.
If P is not a 2-torsion point, the morphism κ : E → K (∆P ), defined by Q 7→(Q,Q− P ), is an isomorphism, given by
π1 ◦ κ(X0 : X1 : X2 : X3) = (U0 : U1) ={
(X0 : X1),(X3 : X2),
π2 ◦ κ(X0 : X1 : X2 : X3) = (V0 : V1) ={
(t0X0 + t2X2 : t3X1 + t1X3),(t1X1 + t3X3 : t2X0 + t0X2),
with inverse
π1 ◦ κ−1((U0 : U1), (V0 : V1)) = (U0 : U1)
π2 ◦ κ−1((U0 : U1), (V0 : V1)) ={
(t1U0V0 + t2U1V1 : t0U0V1 + t3U1V0),(t3U0V1 + t0U1V0 : t2U0V0 + t1U1V1).
Proof. The form of κ follows from the definition of the addition law. The equa-tion for the image curve can be computed by taking resultants, and verifiedsymbolically. The composition of κ with projection onto the first factor is theKummer quotient of degree 2. However, for all P not in E[2], the inverse mor-phism induces a nontrivial involution
(Q,Q− P ) 7−→ (−Q,−Q− P ) = (Q,Q+ P )
on K (∆P ). Consequently the map to K (∆P ) has degree one, and being non-singular, gives an isomorphism. ut
Remark. We observe that K (∆P ) = K (∆−P ) in K 2, but that a change ofbase point changes κ by [−1].
The isomorphism of Ec2 with Cc lets us derive the analogous result for curvesin µµ4-normal form.
Theorem 24. Let C = Cc be an elliptic curve in split µµ4-normal form withrational point S = (s0 : s1 : s2 : s3). The Kummer-oriented curve K (∆S) inK 2 is given by the equation
s0(U0V1 + U1V0)2 + s2(U0V0 + U1V1)2 = c(s1 + s3)U0U1V0V1.
If S is not a 2-torsion point, the morphism λ : C → K (∆S) is an isomorphism,and defined by
π1 ◦ λ(X0 : X1 : X2 : X3) ={
(cX0 : X1 +X3),(X1 +X3 : cX2),
π2 ◦ λ(X0 : X1 : X2 : X3) ={
(s0X0 + s2X2 : s1X1 + s3X3),(s3X1 + s1X3 : s2X0 + s0X2),
with inverse λ−1((U0 : U1), (V0 : V1)) equal to
{((s1 + s3)U2
0V0 : (s0U20 + s2U
21 )V1 + cs1U0U1V0 : (s1 + s3)U2
1V0 : (s0U20 + s2U
21 )V1 + cs3U0U1V0),
((s1 + s3)U20V1 : (s2U2
0 + s0U21 )V0 + cs3U0U1V1 : (s1 + s3)U2
1V1 : (s2U20 + s0U
21 )V0 + cs1U0U1V1).
Proof. The isomorphism ι : Ec2 → Cc sending S to T = (t0 : t1 : t2 : t3) inducesthe isomorphism (s0 : s1+s3 : s2) = (t20 : ct0t1 : t21), by which we identify K (∆P )and K (∆S). The form of the morphism λ follows from the form of projectiveaddition laws of Corollary 22, and its inverse can be verified symbolically. ut
We now give explicit maps and complexity analysis for the Montgomery endo-morphism ϕ(Q,R) = (2Q,Q+R), on the Kummer quotient K (∆P ) (or K (∆S)setting (t0 : t1) = (cs0 : s1 + s3) = (s1 + s3 : cs2)). In view of the application toscalar multiplication on E or C, this gives an asymptotic complexity per bit ofn, for computing [n]P .
Theorem 25. The Montgomery endomorphism ϕ is defined by:
π1 ◦ ϕ((U0 : U1), (V0 : V1)) = (U40 + U4
1 : cU20U
21 ),
π2 ◦ ϕ((U0 : U1), (V0 : V1)) = (t1(U0V0 + U1V1)2 : t0(U0V1 + U1V0)2).
The sets of defining polynomials are well-defined everywhere and the follow-ing maps are projectively equivalent modulo the defining ideal:
(t1(U0V0 + U1V1)2 : t0(U0V1 + U1V0)2)= (t0(U0V0 + U1V1)2 : t1(U0V0 + U1V1)2 + c t0(U0V0)(U1V1))= (t0(U0V1 + U1V0)2 + c t1(U0V1)(U1V0) : t1(U0V1 + U1V0)2).
Assuming the point normalization with t0 = 1 or t1 = 1, this immediately givesthe following corollary.
Corollary 26. The Montgomery endomorphism on K (∆P ) can be computedwith 4M + 5S + 1mt + 1mc or with 4M + 4S + 1mt + 2mc.
The formulas so obtained agree with those of Gaudry and Lubicz [12]. Thefirst complexity result agrees with theirs and the second obtains a trade-offof one mc for one S using the explicit equation of K (∆P ) in K 2. Finally,the isomorphisms of Theorems 23 and 24 permit point recovery, hence scalarmultiplication on the respective elliptic curves.
9 Conclusion
We conclude with a tabulation of the best known complexity results for doublingand addition algorithms on projective curves (taking the best reported algorithmfrom the EFD [6]). We include the Hessian model, the only cubic curve model,for comparison. It covers only curves with a rational 3-torsion point. BinaryEdwards curves [4] cover general ordinary curves, but the best complexity resultwe give here is for d1 = d2 which has a rational 4-torsion point. Similarly, theLopez-Dahab model with a2 = 0 admits a rational 4-torsion point, hence coversthe same classes, but the fastest arithmetic is achieved on the quadratic twistswith a2 = 1. The results here for addition and duplication on µµ4-normal formreport the better result (in terms of constant multiplications m) for the non-splitµµ4 model (see the remark after Corollary 21 and Corollary 28 in the appendix).
Curve model Doubling AdditionZ/4Z-normal form 7M + 2S 12MHessian 6M + 3S 12MBinary Edwards 2M + 5S + 2m 16M + 1S + 4mLopez-Dahab (a2 = 0) 2M + 5S + 1m 14M + 3SLopez-Dahab (a2 = 1) 2M + 4S + 2m 13M + 3Sµµ4-normal form 2M + 5S + 2m 7M + 2S
This provides for the best known addition algorithm combined with essentiallyoptimal doubling. We note that binary Edwards curves with d1 = d2 and theLopez-Dahab model with a2 = 0 and have canonical projective embeddings inP3 such that the transformation to µµ4-normal form is linear, so that, conversely,these models can benefit from the efficient addition of the µµ4-normal form.
References
1. D. J. Bernstein, T. Lange, Faster addition and doubling on elliptic curves. Advancesin cryptology—ASIACRYPT 2007, Lecture Notes in Computer Science, 4833, 29–50, 2007.
2. D. J. Bernstein, P. Birkner, M. Joye, T. Lange, C. Peters, Twisted Edwards curves.Progress in cryptology – AFRICACRYPT 2008, Lecture Notes in Computer Sci-ence, 5023, 389–405, 2008.
3. D. J. Bernstein, T. Lange, A complete set of addition laws for incomplete Edwardscurves. J. Number Theory, 131, 858–872, 2011.
4. D. J. Bernstein, T. Lange, R. Rezaeian Farashahi, Binary Edwards curves. Crypto-graphic hardware and embedded systems (CHES 2008, Washington, D.C.), LectureNotes in Computer Science, 5154, 244–265, 2008.
5. D. J. Bernstein, D. Kohel, and T. Lange. Twisted Hessian curves, unpublished2009.
6. D. J. Bernstein, T. Lange, Explicit-formulas database, 2012. URL: http://www.hyperelliptic.org/EFD/
7. W. Bosma and H. W. Lenstra, Jr. Complete systems of two addition laws forelliptic curves. J. Number Theory, 53 (2), 229–240, 1995.
8. D. V. Chudnovsky and G. V. Chudnovsky. Sequences of numbers generated byaddition in formal groups and new primality and factorization tests. Adv. in Appl.Math., 7, (4), 385–434, 1986.
9. J.-S. Coron, Resistance against differential power analysis for elliptic curve cryp-tosystems. Cryptographic Hardware and Embedded Systems (CHES 1999), LectureNotes in Computer Science, 1717, 292–302, 1999.
10. O. Diao, Quelques aspects de l’arithmtique des courbes hyperelliptiques de genre 2,Ph.D. thesis, Universite de Rennes, 2011.
11. H. Edwards. A normal form for elliptic curves. Bulletin of the American Mathe-matical Society, 44, 393–422, 2007.
12. P. Gaudry and D. Lubicz, The arithmetic of characteristic 2 Kummer surfaces andof elliptic Kummer lines. Finite Fields and Their Applications, 15, 2, 246–260,2009.
13. H. Hisil, K. K.-H. Wong, G. Carter, E. Dawson, Twisted Edwards curves revisited.Advances in cryptology – ASIACRYPT 2008, Lecture Notes in Computer Science,5350, 326–343, 2008.
14. M. Joye and R. Rezaeian Farashahi, Efficient Arithmetic on Hessian Curves. PublicKey Cryptography (PKC 2010, Paris), Lecture Notes in Computer Science, 6056,243–260, 2010.
15. M. Joye and S.-M. Yen, The Montgomery Powering Ladder. Cryptographic hard-ware and embedded systems (CHES 2002), Lecture Notes in Computer Science,2523, 291–302, 2003.
16. K. H. Kim, S. I. Kim, A New method for speeding up arithmetic on elliptic curvesover binary fields, 2007. URL: http://eprint.iacr.org/2007/181.
17. D. Kohel, Addition law structure of elliptic curves. Journal of Number Theory 131,Issue 5, 894–919, 2011.
18. D. Kohel, A normal form for elliptic curves in characteristic 2. Arithmetic, Ge-ometry, Cryptography and Coding Theory, (AGCT 2011, Luminy), talk notes, 15March 2011.
19. D. Kohel et al., Echidna algorithms, v.3.0, 2012. URL: http://echidna.maths.usyd.edu.au/echidna/index.html
20. H. Lange and W. Ruppert. Complete systems of addition laws on abelian varieties.Invent. Math., 79 (3), 603–610, 1985.
21. Magma Computational Algebra System, Computational Algebra Group, Universityof Sydney, 2012. URL: http://magma.maths.usyd.edu.au/.
22. J. S. Milne, Abelian Varieties, version 2.00, 2012. URL: http://www.jmilne.org/math/CourseNotes/av.html
23. P. L. Montgomery, Speeding the Pollard and elliptic curve methods of factorization,Mathematics of Computation, 48 243-264, 1987.
24. M. Stam. On Montgomery-like representations for elliptic curves over GF (2k),Public Key Cryptography (PKC 2003, Miami), Lecture Notes in Computer Science,2567, 240–253, 2003.
Appendix
By means of a renormalization of variables, the split µµ4-normal form can be putin µµ4-normal form (X0 + X2)2 = X1X3, s(X1 + X3)2 = X0X2, where s = c−4.This form loses the elementary symmetry given by cyclic permutation of thecoordinates, but by the Remark following Corollary 21, we are able to save onmultiplications by scalars in duplication. This renormalization gives the followingaddition laws (as a consequence of Theorem 18), and give an analogous savingsfor addition.
Theorem 27. Let C be an elliptic curve in µµ4-normal form: A basis for thespace of addition laws of bidegree (2, 2) is given by:
((X0Y0 +X2Y2)2, X0X1Y0Y1 +X2X3Y2Y3, s(X1Y1 +X3Y3)2, X0X3Y0Y3 +X1X2Y1Y2
),(
X0X1Y0Y3 +X2X3Y1Y2, (X1Y0 +X3Y2)2, X0X3Y2Y3 +X1X2Y0Y1, (X0Y3 +X2Y1)2),(
s(X1Y3 +X3Y1)2, X0X3Y1Y2 +X1X2Y0Y3, (X0Y2 +X2Y0)2, X0X1Y2Y3 +X2X3Y0Y1
),(
X0X3Y0Y1 +X1X2Y2Y3, (X0Y1 +X2Y3)2, X0X1Y1Y2 +X2X3Y0Y3, (X1Y2 +X3Y0)2).
·The absence of the constant s in the 2nd and 4th addition laws permits us tosave the 2m in the computation of addition.
Corollary 28. Addition of generic points on C can be carried out in 7M + 2S.
Proof. After evaluating (Z0, Z1, Z2, Z3) = (X0Y1, X1Y2, X2Y3, X3Y0) in the lastaddition law, the algorithm follows that of Corollary 19. ut
